LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index

Enabling and Disabling LDAP-UX Logging
When a program or service is behaving incorrectly, enabling logging is one way to examine the
events that occur to determine where the problem is. Enable LDAP-UX Client Services logging
on a particular client as follows:
1. Edit the local startup file /etc/opt/ldapux/ldapux_client.conf and uncomment
the lines starting with #log_facility and #log_level by removing the initial # symbol.
You can set log_level to LOG_INFO to log only unusual events. If LOG_INFO is not
adequate to identify the problem, set log_level to LOG_DEBUG to log trace information.
LOG_DEBUG provides more information, but significantly reduces performance and generates
large log files on active systems.
2. Edit the file /etc/syslog.conf and add a new line at the bottom:
local0.debug <tab> /var/adm/syslog/local0.log
where <tab> is the Tab key on your keyboard. syslogd requires a Tab, not spaces, between the
selector and the file name.
3. Restart the syslog daemon with the following command (refer to syslogd(1M) for details):
kill -HUP $(cat /var/run/syslog.pid)
4. Once logging is enabled, run the HP-UX commands or applications that exhibit the problem.
5. Disable logging by commenting out the log_facility and log_level lines in the startup
file /etc/opt/ldapux/ldapux_client.conf. Comment them out by inserting a #
symbol in the first column.
6. Examine the log file at /var/adm/syslog/local0.log to see what actions were performed
and if any are unexpected.
TIP: Enable LDAP logging only long enough to collect the data you need because logging can
significantly reduce performance and generate large log files. Debug output can also contain
user names, distinguished names and other directory data, so restrict read access to the log
file and remove it when you have finished.
You may want to move the existing log file and start with an empty file:
mv /var/adm/syslog/local0.log /var/adm/syslog/local0.log.save
Then restart the syslog daemon so that it reopens the file (refer to syslogd(1M) for details):
kill -HUP $(cat /var/run/syslog.pid)
Enabling and Disabling PAM Logging
When something is behaving incorrectly, enabling logging is one way to examine the events that
occur to determine where the problem is. Complete the following steps to enable PAM logging
on a particular client. Refer to pam(1), pam.conf(4), and Managing Systems and Workgroups for more
information about PAM.
1. Add the debug option to each line in /etc/pam.conf that contains libpam_krb5.1. For
example:
login account sufficient /usr/lib/security/libpam_krb5.1 debug
login account required /usr/lib/security/libpam_unix.1
su account sufficient /usr/lib/security/libpam_krb5.1 debug
su account required /usr/lib/security/libpam_unix.1
...
2. Edit the file /etc/syslog.conf and add a new line at the bottom similar to the following
(with a Tab between the selector and the file name):
*.debug <tab> /var/adm/syslog/debug.log
Note that *.debug routes every facility at every priority to this file, so it grows quickly;
remove the line again when you have finished.
3. Restart the syslog daemon with the following command (refer to syslogd(1M) for details):
kill -HUP $(cat /var/run/syslog.pid)
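The LDAP-UX logging steps and the PAM logging steps above are the same kind of edit: uncomment or extend a line in a configuration file, add a Tab-separated rule to /etc/syslog.conf, and signal syslogd. The script below is an added example that performs both procedures and reverses them; it is not a tool shipped with LDAP-UX Client Services or HP-UX. It assumes that ldapux_client.conf carries lines beginning "#log_facility" and "#log_level LOG_..." that only need the leading # removed, that /etc/pam.conf uses the four-field layout shown in step 1, and that syslogd re-reads its configuration on SIGHUP and records its PID in /var/run/syslog.pid. Every function takes the file it edits as an argument, so you can run it against copies of the files before touching the live ones.

```shell
#!/bin/sh
# ldapux_debug.sh: turn LDAP-UX client logging and PAM Kerberos debug
# logging on and off following the steps in this section.  Added example,
# not part of LDAP-UX Client Services.  Assumptions: see the lead-in above;
# the default paths below are the ones the guide uses.

LDAPUX_CONF=/etc/opt/ldapux/ldapux_client.conf
PAM_CONF=/etc/pam.conf
SYSLOG_CONF=/etc/syslog.conf
SYSLOG_PID=/var/run/syslog.pid
LOCAL0_LOG=/var/adm/syslog/local0.log
PAM_LOG=/var/adm/syslog/debug.log

# Rewrite $1 in place through sed; HP-UX sed has no -i, so go via a temp file.
edit_in_place() {
    f=$1; shift
    tmp=$f.tmp.$$
    sed "$@" "$f" > "$tmp" && mv "$tmp" "$f"
}

# LDAP-UX step 1: uncomment log_facility and log_level in $1, set level $2.
ldapux_log_enable() {
    case "$2" in
        LOG_INFO|LOG_DEBUG) ;;
        *) echo "log_level must be LOG_INFO or LOG_DEBUG" >&2; return 1 ;;
    esac
    edit_in_place "$1" \
        -e 's/^#*[[:space:]]*\(log_facility\)/\1/' \
        -e "s/^#*[[:space:]]*\(log_level[^A-Z]*\)LOG_[A-Z]*/\1$2/"
}

# LDAP-UX step 5: comment both lines out again.
ldapux_log_disable() {
    edit_in_place "$1" -e 's/^\(log_facility\)/#\1/' -e 's/^\(log_level\)/#\1/'
}

# PAM step 1: append "debug" to every libpam_krb5.1 line in $1 (once per line).
pam_krb5_debug_enable() {
    edit_in_place "$1" -e '/libpam_krb5\.1/{' -e '/[[:space:]]debug$/!s/$/ debug/' -e '}'
}

# Reverse of PAM step 1.
pam_krb5_debug_disable() {
    edit_in_place "$1" -e '/libpam_krb5\.1/s/[[:space:]]debug$//'
}

# Step 2 of either procedure: route selector $2 to file $3 in syslog.conf $1,
# adding the rule only once.  syslogd needs a Tab between selector and action.
syslog_add_rule() {
    esc=$(printf '%s' "$2" | sed 's/[.*]/\\&/g')
    grep "^$esc[[:space:]]" "$1" >/dev/null 2>&1 && return 0
    printf '%s\t%s\n' "$2" "$3" >> "$1"
}

# Step 3 of either procedure: make syslogd re-read syslog.conf (pid file $1).
syslog_reload() {
    kill -HUP "$(cat "$1")"
}

# Set the old log aside and start clean.  Debug output holds user names and
# DNs, so pre-create the new file readable by its owner (root) only.
rotate_log() {
    [ -f "$1" ] && mv "$1" "$1.save"
    ( umask 077; : >> "$1" )
}

case "${1:-}" in
    ldap-on)
        ldapux_log_enable "$LDAPUX_CONF" "${2:-LOG_INFO}"
        syslog_add_rule "$SYSLOG_CONF" local0.debug "$LOCAL0_LOG"
        rotate_log "$LOCAL0_LOG"
        syslog_reload "$SYSLOG_PID" ;;
    ldap-off)
        ldapux_log_disable "$LDAPUX_CONF" ;;
    pam-on)
        pam_krb5_debug_enable "$PAM_CONF"
        syslog_add_rule "$SYSLOG_CONF" '*.debug' "$PAM_LOG"
        rotate_log "$PAM_LOG"
        syslog_reload "$SYSLOG_PID" ;;
    pam-off)
        pam_krb5_debug_disable "$PAM_CONF" ;;
    '') ;;
    *)  echo "usage: $0 ldap-on [LOG_INFO|LOG_DEBUG] | ldap-off | pam-on | pam-off" >&2
        exit 2 ;;
esac
```

Run it as root with "ldap-on LOG_DEBUG" before reproducing the problem and "ldap-off" afterwards (likewise "pam-on" and "pam-off"); the "off" actions deliberately leave the syslog.conf rule and the log file in place so you can still read the output, and you remove both by hand once you are done.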